乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-12-06: 细节已通知厂商并且等待厂商处理中 2013-12-10: 厂商已经确认,细节仅向厂商公开 2013-12-20: 细节向核心白帽子及相关领域专家公开 2013-12-30: 细节向普通白帽子公开 2014-01-09: 细节向实习白帽子公开 2014-01-20: 细节向公众公开
注入很一般啦,但是这个文件泄露特别奇葩
无意中发现正常访问jsp文件,正常显示。在路径后面加两个点就侧漏了,你见到过吗?http://www.gz-l-tax.gov.cn/conn.jsp..数据库配置信息
搜索页面http://www.gz-l-tax.gov.cn/search.jsp..
相关代码,没有任何过滤,各种侧漏:
<%@ include file="top.jsp" %><% String key=request.getParameter("key");//获取表单中输入的值 String term=request.getParameter("term"); String colu=request.getParameter("colu"); String inta=request.getParameter("inta"); String insert=request.getParameter("insert"); if(insert!=null&&insert.equals("a")){if(key.trim().length()!=0){ byte c[]=key.getBytes("ISO-8859-1"); key=new String(c);} else{out.println("<script>alert('错误,请输入查询关键字');history.back();</script>"); return;} if(inta==null){out.println("<script>alert('错误,请选择查询范围');history.back();</script>"); return;} inta=inta.trim(); String entry=""; String entry1=""; if(inta.equals("artic")&&term.equals("local")){entry="and carry like '%"+carry+"%'";} if(term.equals("all")){entry="";} if(colu.trim().length()!=0){entry1="and the_colu='"+colu+"'";} if(inta.equals("laws")&&term.equals("local")){entry="and area='"+area0+"'";}%> <% ResultSet rt=null;rt=sql.executeQuery("select count(*) from talent."+inta+" where title like '%"+key+"%' and state='pub' "+entry+" "+entry1+" order by id desc" );rt.next();int total=rt.getInt(1);//取得整数保存在total变量中String start;//定义变量用来传递pageint starset;//页面参数start=request.getParameter("starset");//取得当前的页码if(start==null){starset=1;}//判断初始页面,如果没有显示记录,就置为第一页else{starset=Integer.parseInt(start);//将start转化为整数if(starset<1) starset=1;}int pageSize=20;//每页显示信息条数int span=starset+pageSize;int pageCount=(total%pageSize==0)?(total/pageSize):(total/pageSize+1);//计算分页后的总页数ResultSet re=null;re=sql.executeQuery("select * from ( select row_.*, rownum rownum_ from (select * from talent."+inta+" where title like '%"+key+"%' and state='pub' "+entry+" "+entry1+" order by id desc) row_ where rownum <"+span+") where rownum_ >="+starset); while(re.next()){ String art_id=re.getString("id"); String art_title=re.getString("title"); if(art_title.trim().length()>43){art_title=art_title.substring(0,41)+"...";}//首页显示的标题最多为19个字 String art_time=re.getString("pubtime"); art_time=art_time.substring(5,10);%><%sql.close();con.close();%><%@ include file="food.jsp" %>
报错界面:
类型:
数据库:
同一IP下有四个市级地税网站,问题应该是出自apache的配置上,所以都有影响。。。。
危害等级:高
漏洞Rank:11
确认时间:2013-12-10 22:04
暂无